Agari researchers have found that threat actors are attempting to take advantage of the California wildfires for malicious purposes, specifically through a Business Email Compromise (BEC) campaign. The actors are distributing emails that purport to be from the CEO of an unnamed company and that ask the recipient to send help for clients who have been “caught up in the California wildfire disaster.” Interestingly, the actors do not explicitly ask for funds to be transferred; instead, they ask the recipient to purchase four Google Play gift cards valued at $500 USD each and then send the sender the redemption codes listed on the cards. The broken English in the email indicates that the actors are likely not native English speakers, and the use of Google Play gift cards is an interesting way to acquire illicit funds that are essentially untraceable.

Recommendation: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful to inform employees that after a natural disaster or major political event, threat actors will theme their malicious activity around what just occurred.
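
As a complement to user education, a mail-filter heuristic can flag the combination of traits described above. This is an added example, not Agari's or ThreatStream's detection logic; the organisation domain, the executive name, the keyword patterns and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # assumption: the organisation's own mail domain
EXECUTIVES = {"jane doe"}    # assumption: executive display names to protect

GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.I)
CODE_REQUEST = re.compile(r"\b(send|email|forward|reply with)\b[^.]{0,80}\bcodes?\b", re.I)
EVENT_THEME = re.compile(r"\b(wildfire|hurricane|earthquake|flood|disaster)\b", re.I)

def signals(raw):
    """Return the set of gift-card BEC signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    found = set()
    # An executive's display name on an address outside the organisation's domain.
    if name.strip().lower() in EXECUTIVES and addr.rpartition("@")[2].lower() != ORG_DOMAIN:
        found.add("executive_name_external_sender")
    for label, pattern in (("gift_card", GIFT_CARD), ("code_request", CODE_REQUEST),
                           ("event_theme", EVENT_THEME)):
        if pattern.search(text):
            found.add(label)
    return found

def is_suspect(raw):
    """Flag when impersonation, a gift-card purchase and a request for codes coincide."""
    return {"executive_name_external_sender", "gift_card", "code_request"} <= signals(raw)

# Constructed sample: the lure pattern from the report, reworded.
LURE = """\
From: "Jane Doe" <jane.doe.ceo@freemail.example>
To: sam@example.com
Subject: Urgent request

Please help our clients caught up in the wildfire disaster.
Buy four Google Play gift cards at $500 each and send me the codes from the back.
"""
# Constructed sample: a legitimate internal message on the same theme.
BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: all@example.com
Subject: Wildfire relief

The company will match donations to wildfire relief this month.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, is_suspect(raw), sorted(signals(raw)))
```

The event theme is recorded as context but not required for a flag, since the same gift-card request can arrive under any current-events pretext.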

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.